tele9752wikiaorg-20200213-history
XxFQ
Background: Know: timeliness, engineBoots, engineTime, Recognize: prereq - clock drift, communication delays Timeliness Checking Timeliness means destination receives messages just after source send them and not excessively delayed or replayed. To achieve timeliness in User Security Model, each engine should track Boots & Time for other engines because there is no global clock. More details about how to ensure timeliness: Sender estimates time at receiver, records latestReceivedEngineTime and updates Boots & Time according to reply: Consider sender and receiver are agent and manager. Once a manager has learned the snmpEngineBoots and snmpEngineTime of an agent, the manager must maintain its own local notion of what these values are supposed to be. This requires the manager to increment the learned snmpEngineTime every second so the value will be very close to the master values maintained by the agent. If the snmpEngineTime rolls over, then the snmpEngineBoots must be incremented. A manager must keep local notions of these values for each agent in which it wishes to communicate. Receiver rejects messages that are old: The timeliness checks by an agent are considered part of the authentication process and are done right after the received packet has been authenticated. If the msgAuthoritativeEngineBoots is different than the agent's current value of the snmpEngineBoots, the packet is discarded and a discovery packet is sent back to the manager. If that check passes, then the msgAuthoritativeEngineTime is checked against the agent's current value of the snmpEngineTime. If the difference between the two is more or less than 150 seconds (150s allows for clock drift and communication delays), the packet is discarded and a discovery packet is sent back to the manager. If both of the checks pass, then the packet is considered to have been received in a timely manner and processing continues. Reference More details about SNMPv3 and User Security Model in [RFC3414] Unsorted material from xxL3 Timeliness: This is a feature which allows the SNMP Engine to check if the information is arriving in timely manner. Any significant delay indicates that the information may have been intercepted, stored and then retransmitted. Any information received outside the time window is rejected. SNMP Engine performs this check by the use of two INTEGER values - snmpEngineBoots & snmpEngineTime. snmpEngineBoots stores the number of times the SNMP engine has rebooted since the intial configuration. And, snmpEngineTime stores the number of seconds passed since the last boot up. snmpEngineTime is a counter, so if it is maxed then it wraps around and SNMP engine increments the snmpEngineBoots value by 1. Timeliness check is performed by verifying that engine boots value is identical between the arriving packet and the stored value on the authoritative SNMP engine and that engine time is within 150 seconds of the value on the authoritative SNMP engine. In other words, if engine boots in the incoming packet is not equal to the local value and time is outside the 150 second window when compared with the local value, authoritative SNMP engine will discard the packet. Category:All